Data Residency & Compliance Center

Comprehensive resources for EU data sovereignty and regulatory compliance

Welcome to the Compliance Center

A centralized resource for all compliance-related aspects of our EU-based infrastructure

SovereignRack's Compliance Center is designed to provide comprehensive information on data residency, GDPR compliance, and regulatory support for SaaS platforms. This resource is intended for legal teams, IT administrators, and compliance officers who need detailed information about our infrastructure and compliance practices.

Geographic Data Sovereignty

What Is Data Sovereignty?

Data sovereignty refers to the concept that data is subject to the laws and governance structures of the nation where it is physically stored. For many organizations, particularly those operating under EU regulations, ensuring that data remains within specific jurisdictions is a critical compliance requirement.

Our Data Sovereignty Guarantee

SovereignRack guarantees geographic data sovereignty through multiple technical and legal mechanisms:

  • Physical Infrastructure Location: All our data centers are physically located within Latvia, a member state of the European Union. This ensures that all data processing occurs exclusively within EU jurisdiction.
  • Network Architecture: Our network architecture ensures that all data paths remain within EU borders, with no routing through non-EU jurisdictions.
  • Legal Guarantees: Our service agreements include explicit commitments regarding data location and sovereignty, providing contractual assurance of EU data residency.
  • Independent Verification: Our data location claims are verified through independent audits, with results available to customers upon request.

Autonomous Availability Zones

Availability Zone Architecture

Our infrastructure includes multiple autonomous availability zones within the EU region, providing robust resilience against infrastructure failures while ensuring all data remains within EU borders. Each zone operates independently with separate power, cooling, and network infrastructure, yet maintains high-speed interconnections for replication and failover.

Technical Implementation

Our availability zones are designed with the following characteristics:

  • Physical Separation: Zones are physically separated to protect against localized disasters or infrastructure failures.
  • Independent Infrastructure: Each zone has independent power, cooling, and network infrastructure.
  • High-Speed Interconnects: Zones are connected via high-bandwidth, low-latency links for efficient data replication.
  • Automated Failover: Systems can automatically fail over between zones in case of infrastructure issues.
  • Data Residency Guarantee: All zones are located within EU borders, ensuring data sovereignty during failover events.

Network Architecture & Data Flows

EU-Only Network Infrastructure

Our network architecture is designed to ensure that all data flows remain within EU jurisdiction, with no routing through non-EU territories. This is achieved through direct peering with major European internet exchanges and careful management of routing tables.

Cross-Zone Replication

Data replication between availability zones occurs over private, dedicated network links that are entirely within EU borders. This ensures data sovereignty is maintained during replication and backup processes.

Network Security Measures

Our network infrastructure includes multiple security layers:

  • DDoS protection at network edges
  • Traffic filtering and inspection
  • Encryption for all data in transit
  • Network segmentation and micro-segmentation
  • Comprehensive logging and monitoring

Data Processing Agreements

DPA Overview

Our Data Processing Agreements (DPAs) are designed to meet the requirements of the GDPR and other applicable data protection regulations. These agreements clearly define the roles and responsibilities of both parties, with SovereignRack acting as a data processor and our customers as data controllers.

Our DPAs include provisions covering:

  • Scope and purpose of processing
  • Duration of processing
  • Nature and categories of personal data
  • Rights and obligations of both parties
  • Technical and organizational security measures
  • Subprocessor management
  • Data subject rights assistance
  • Breach notification procedures
  • Audit rights and compliance demonstration
  • Data transfer mechanisms

Requesting a DPA

To request our DPA template, please contact our legal team at legal@ambermetricsolutions.com. Include your company name and intended use case in your request.

The DPA review and execution process typically involves:

  1. Initial request for the DPA template
  2. Review of the template by your legal team
  3. Discussion of any requested modifications
  4. Finalization and execution of the agreement

We aim to complete the DPA process efficiently, with typical turnaround times of 3-5 business days from initial request to execution.

DPA Compliance Features

Our DPA includes several compliance-enhancing features:

  • Data Location Commitments: Explicit guarantees regarding the geographic location of data processing.
  • Subprocessor Management: Clear procedures for adding or changing subprocessors, with customer notification and objection rights.
  • Security Measures: Detailed description of technical and organizational security measures implemented by SovereignRack.
  • Audit Provisions: Customer rights to audit our compliance with the DPA, either directly or through independent auditors.
  • Data Subject Request Support: Procedures for assisting customers with data subject requests under GDPR.

SOC 2 Audit Reports

Annual SOC 2 Audits

We conduct annual SOC 2 (Service Organization Control 2) audits performed by independent third-party auditors. These audits evaluate our controls relevant to security, availability, processing integrity, confidentiality, and privacy.

Our SOC 2 audits assess our infrastructure against the Trust Services Criteria established by the American Institute of Certified Public Accountants (AICPA):

  • Security: Protection against unauthorized access
  • Availability: System availability for operation and use
  • Processing Integrity: System processing is complete, accurate, timely, and authorized
  • Confidentiality: Information designated as confidential is protected
  • Privacy: Personal information is collected, used, retained, disclosed, and disposed of in conformity with commitments

Requesting Audit Reports

SOC 2 audit summaries are available to customers and prospective customers upon request. To request access to our SOC 2 audit summary, please contact our compliance team at compliance@ambermetricsolutions.com.

Full audit reports are available to customers under non-disclosure agreement. These reports provide detailed information about our control environment, the tests performed by auditors, and the results of those tests.

Subprocessor Management

Subprocessor Policy

We maintain complete transparency regarding all entities involved in data processing. Our subprocessor management policy includes:

  • Due Diligence: Comprehensive assessment of potential subprocessors before engagement
  • Contractual Safeguards: Data processing agreements with all subprocessors that include data protection obligations at least as strict as our own
  • Regular Audits: Ongoing monitoring and periodic audits of subprocessors
  • Transparency: Maintenance of a current list of all subprocessors
  • Change Management: Advance notification to customers of any changes to our subprocessor relationships
  • Customer Rights: Customer ability to object to new subprocessors

Accessing Subprocessor Information

Our current list of subprocessors is available to customers upon request. To request this information, please contact our compliance team at compliance@ambermetricsolutions.com.

The subprocessor list includes:

  • Name and location of each subprocessor
  • Description of services provided
  • Categories of data processed
  • Compliance certifications held
  • Data transfer mechanisms in place (if applicable)

Subprocessor Changes

We provide advance notification of any changes to our subprocessor relationships. Our process includes:

  1. Notification to customers at least 30 days before adding or replacing a subprocessor
  2. Opportunity for customers to object to the change
  3. If a customer objects, we will work with them to find a mutually acceptable solution
  4. If no solution can be found, customers may terminate their agreement with us

All notifications are sent to the designated contact person for each customer account.

Compliance FAQ

How does SovereignRack ensure data never leaves the EU?

We ensure data never leaves the EU through multiple mechanisms:

  1. All physical infrastructure is located in Latvia (EU)
  2. Network architecture routes all traffic exclusively through EU territories
  3. Backup and disaster recovery sites are all within the EU
  4. Contractual commitments in our service agreements and DPAs
  5. Regular audits to verify compliance with these commitments
  6. Technical controls that prevent data transfers outside the EU

What happens if there is a conflict between EU law and non-EU law?

As a company incorporated in Latvia and operating exclusively within the EU, we are primarily subject to EU and Latvian law. In the event of a conflict between EU law and non-EU law (such as requests from non-EU authorities), we are bound to comply with EU law, including GDPR provisions regarding international data transfers and disclosure to foreign authorities.

Our legal team has established procedures for handling such conflicts, including:

  • Legal assessment of the request against EU law
  • Notification to affected customers (where legally permitted)
  • Challenging inappropriate requests through legal channels
  • Minimizing disclosure to only what is legally required
  • Transparency reporting on government requests (in aggregate)

How do your RPO/RTO guarantees work with data residency requirements?

Our Recovery Point Objective (RPO) and Recovery Time Objective (RTO) guarantees are designed to work within our data residency commitments. All backup and disaster recovery infrastructure is located within the EU, ensuring that data sovereignty is maintained even during recovery operations.

Specific technical measures include:

  • Multiple availability zones within the EU for rapid failover
  • Synchronous and asynchronous replication between EU data centers
  • Backup storage exclusively within EU borders
  • Disaster recovery sites located in different EU countries
  • Regular testing of recovery procedures to verify both functionality and compliance

How do you handle cross-border data transfers under GDPR?

Our infrastructure is designed to eliminate the need for cross-border data transfers outside the EU. All data processing occurs within EU borders, avoiding the complex requirements for international transfers under GDPR.

For transfers between EU member states, which are permitted under GDPR, we ensure appropriate safeguards are in place, including:

  • Comprehensive data processing agreements
  • Technical security measures for data in transit
  • Encryption of sensitive data
  • Access controls and authentication mechanisms
  • Audit logging of all data access and transfers

How often are your SOC 2 audits conducted?

We conduct SOC 2 Type 2 audits annually, covering a 12-month observation period. The audits are performed by independent third-party auditors certified by the AICPA.

Our audit schedule includes:

  • Annual SOC 2 Type 2 audit covering all five Trust Services Criteria
  • Interim internal assessments conducted quarterly
  • Continuous monitoring through automated security tools
  • Ad-hoc assessments following significant infrastructure changes
  • Regular penetration testing by independent security firms

Audit reports are typically available within 60 days of the completion of the audit period.

What technical measures ensure data isolation between customers?

We implement multiple technical measures to ensure complete data isolation between customers:

  • Physical Isolation: Dedicated hardware options for customers requiring complete physical separation
  • Logical Isolation: Strong tenant separation in multi-tenant environments
  • Network Isolation: VLAN separation, private networks, and network security groups
  • Storage Isolation: Encrypted storage with separate encryption keys for each customer
  • Access Controls: Strict role-based access controls following the principle of least privilege
  • Monitoring: Continuous monitoring for isolation breaches or unauthorized access attempts

These isolation measures are regularly tested as part of our security assessment program.

Contact Our Compliance Team

For detailed compliance information, DPA requests, or audit reports, please contact our dedicated compliance team.

Email: compliance@ambermetricsolutions.com

Phone: +37167467919